The GMX Perpetuals Trading course is live on Updraft! Master the GMX protocol and build advanced DeFi apps with insights into pricing, liquidity, and liquidation logic.
Read on for the month's update from Cyfrin, security news, and industry insights.
Updraft Career Tracks are live! Go from beginner to pro with structured learning paths in blockchain foundations, Solidity, Vyper, DeFi, wallets, and smart contract security. Hands-on, expert-designed, and built to launch your web3 career.
New courses and certifications:
Meet the new Solodit: The go-to resource for smart contract security research, now with streamlined UI, faster navigation, global search, and a fully updated checklist page.
CodeHawks Eagles success story: In just over two years, 0xStalin went from DevOps engineer to securing billions in DeFi as a top smart contract auditor.
Completed audits:
Insights to level up your blockchain security skills and knowledge:
From the Solodit Checklist Explained series:
Nobitex ($100M): Pro-Israel hackers exposed a pre-existing money laundering setup, including peelchains, chip-off wallets, and a “rescue” wallet active months before the breach.
AlexLab ($16.1M): A token listing flaw enabled an attacker to use fake tokens to drain vaults via a crafted swap call, bypassing recent audits.
Resupply ($9.5M): A price manipulation attack on a synthetic stablecoin resulted in an exploiter inflating collateral value and borrowing reUSD with minimal risk.
Nervos ($3.7M): A ForceBridge access control flaw let an attacker drain funds across multiple chains, swap them to ETH, and launder them through Tornado Cash.
BNB Chain bots ($2M): Missing caller restrictions on functions in MEV bot contracts let attackers drain assets via crafted internal calls.
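The MEV bot pattern above, shown as an added illustration rather than the code of any contract named in this newsletter: a helper meant to be reached only as a sub-step of the bot's own bundle is left callable by anyone, beside a version that restricts it to the contract itself. Contract and function names (BotVulnerable, BotHardened, execute, sweep) are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example only; not the contracts involved in the incident above.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

// Vulnerable: sweep() is intended as an internal step of execute(), but it is
// public and checks nothing about msg.sender, so any address can call it
// directly and move the bot's token balance wherever it likes.
contract BotVulnerable {
    address public owner;

    constructor() { owner = msg.sender; }

    // Owner submits a bundle of ABI-encoded calls that the contract replays
    // against itself.
    function execute(bytes[] calldata calls) external {
        require(msg.sender == owner, "not owner");
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, ) = address(this).call(calls[i]);
            require(ok, "subcall failed");
        }
    }

    // Missing restriction: reachable by anyone, not just via execute().
    function sweep(address token, address to) public {
        IERC20(token).transfer(to, IERC20(token).balanceOf(address(this)));
    }
}

// Hardened: the bundle entry point is owner-only, and every sub-step requires
// msg.sender == address(this), which is only true when the contract calls
// itself from inside execute(). A direct external call to sweep() reverts.
contract BotHardened {
    address public owner;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    modifier onlySelf() {
        require(msg.sender == address(this), "not self");
        _;
    }

    function execute(bytes[] calldata calls) external onlyOwner {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, ) = address(this).call(calls[i]);
            require(ok, "subcall failed");
        }
    }

    function sweep(address token, address to) external onlySelf {
        IERC20(token).transfer(to, IERC20(token).balanceOf(address(this)));
    }
}
```

The check to apply when reviewing a bot or router contract: list every public or external function that moves value or approves spending, and confirm each one either restricts msg.sender (owner, a trusted executor, or the contract itself for self-calls) or is genuinely safe for arbitrary callers.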
Cyfrin’s Farouk ELALEM breaks down how Solana programs run on SBF bytecode in a custom BPF VM, balancing high throughput with strict safety checks.
Pascal Caversaccio open-sourced a Bash script to rescue assets from compromised wallets using EIP-7702, paymasters, and a custom Vyper delegator. No ETH required.
SlowMist warns that jailbroken LLMs like WormGPT and GhostGPT are fueling advanced phishing, scam scripting, and malicious smart contract generation in crypto.
Areta’s State of Crypto Security 2025 report reveals why full-stack security is now essential across the entire web3 development lifecycle.
Safe{Wallet} Co-founder Lukas Schor shares how 100 ETH was rescued after a user bridged to a misconfigured smart account.
wellbyt3.eth notes that infrastructure projects offer $1M+ bounties, while DeFi contests cluster in the $250k–$999k range, hinting at payout variance by project type.
Radcipher explains how bug hunting is about pattern recognition and daily reps, not genius, and shares the system that took them from beginner to competing in top audit contests.
Schedule your certification exam today!
Did someone forward you this newsletter? Subscribe here!